Cyber Crime Hits Big Time This Year
An anonymous reader writes to point out the Washington Post's analysis of this year's spike in junk email and online attacks, such as botnets and worms. Image-embedded spam emails made up an amazing percentage of all messages sent in the months of October and November, and something like four million bots are actively adding to that total. These botnets are also increasingly connected to organized crime, as are 'independent' hacker groups. The article goes on for three pages, and doesn't have a lot of hope that 2007 will look a whole lot better. From the article: "Experts worry that businesses will be slow to switch to the [Windows Vista]. And even if consumers rush to upgrade exiting machines or purchase new ones that include Vista, Microsoft will continue to battle security holes in legacy versions of Microsoft Office, which are expected to remain in widespread use for the next 5-10 years."
"Experts worry that businesses..... (Score:4, Insightful)
Maybe because Vista isn't written for security or for the businesses, or for anyone who buys it; it's written for DRM and for the RIAA and MPAA.
Re:"Experts worry that businesses..... (Score:4, Insightful)
Re: (Score:3, Funny)
RIAA Jim: Hey, we just got some file-sharers here. Quick save the packets and download the files so we can nab them!
RIAA Bob: Umm, Jim, I dunno how to do that on this new Windows...
RIAA Jim: Idiot, press that button.
RIAA Bob: I did, it just says "you cannot download this file".
Both: WTF?
Sounds like a plan to me.
Crime and technology (Score:5, Insightful)
A large enough number of people for crime to be viable online will stay gullible, no matter what we do.
This is another one of those "Wars" we simply cannot win. We can try to educate the masses, but in general it will not work.
A number of people within any social network will be defrauded somehow, and as they tell their stories (which most of them won't, afraid to seem a fool in the eyes of their peers), eventually these networks will become more resistant to attacks.
We can design tools to help this process. But there will never be a technical tool to stop all, or even a significant amount of the crime and fraud that goes on out there.
It's the American dream - everyone can make it rich, and some people will always think that it's the mail/phonecall/whatever they just received that'll make it happen for them.
Detecting Click Fraud (Score:5, Interesting)
I'm planning to work it into a Defcon 15 submission.
http://www.realmeme.com/roller/page/realmeme/Webl
Re: (Score:3, Interesting)
Many of these referrers tracked back to websites that had no discernable connection to our products -- in fact some were m
Re: (Score:2)
The "American Dream" for the average person is rapidly becoming the notion of actually owning a home without a 75-year or interest-only mortgage.
Thank you Spamthru & Warezov (Score:5, Informative)
We've had a few stories on this before here [slashdot.org] and here [slashdot.org].
Anti-virus needs a new direction. (Score:4, Interesting)
Yet, with a boot CD on Linux, I can inventory everything on the local hard drive and quarantine any suspect files. Yes, including loadable modules for the kernel.
Why aren't we seeing that for Windows? Running an anti-virus app on the system itself is useless if the system can be compromised at a more privileged level than the app is running at.
Not to mention that the users are notorious for NOT keeping their anti-virus apps updated.
And ISPs really should be looking at blocking or actively monitoring outbound connections to port 25. Come on! It's not that difficult.
Re: (Score:3, Interesting)
TLF
Re: (Score:3, Insightful)
And finding one exploitable hole is not difficult. (Score:3, Insightful)
If s/he went legit and tried to sell anti-virus software, s/he would need to be as good or better than all the other virus/worm/trojan writers out there. The payoff vs effort quickly becomes worthless. A little effort for a big payoff is what crime is all about (and a number of other endeavors).
Re: (Score:2)
Re: (Score:2)
That's just not true. If you know assembly language, it should be fairly obvious that it's easy to alter any code and have it retain the same functionality. Take the simplest case of randomly inserting NOPs. Then take it to the next level of writing multi-instruction code that is the equivalent of a NOP (the possibilities are effectively infinite). Suddenly you can obfuscate ANY chunk of machine code without changing the f
Re: (Score:1)
As the keeper of a corporate network that includes laptop-wielding field personnel, this is a major PITA. I currently have them hitting our corporate SMTP server with SMTP authentication. Until someone's ISP starts blocking or redirecting port 25, then I have to instruct the user to change their outbound SMTP server to that of their ISP (which they never know but expect me to, or to find out). Now they take the laptop out into the wild and wan
Use a different port. (Score:2)
The only real limitation here is what the client software will accept as a configuration option. Various versions of Outlook (including many of the PDA's and phones) will only allow you to set "must use SSL" which gives you port 587. If you limit those connections to ones that require a username/password, that solves that problem.
So far I haven't found a single ISP that blocks either 465 or 58
Re: (Score:2)
It amazes me how many sys admins would scoff at using telnet to log into a server, make sure all their web apps r
Re: (Score:2)
Mine already DOES this, the problem is, I have a few legit uses for that port (well, at least not illegal). At least 3 I have had did it, same as port 80. They use the virus EXCUSE, but it's just that...
One e-mail address to rule them all.. One e-mail.. (Score:4, Interesting)
So bots and spam and worms and identity phishers don't get to me. Part of the reason is that I simply don't pay attention to e-mails from unsolicited sources. That's half the reason cyber crime works at all: people are idiots when it comes to computers. Odds are you know someone who sees a pop-up disguised to look like an authentic Windows message box and clicks on the buttons thinking they are actually talking to Windows and not some porn-site-based phisher and thief. Odds are you know someone who thinks those e-mails are from someone with an actual product instead of a phishing scam, like a second chance offer from www.ebay.cra.cz or something similar.
These criminals are simply separating stupid people and their money. I know, I know, it's a harsh perspective. You know somebody who got nailed so you want to mod me down because I called your friend stupid. Well, hopefully they learned. The saying goes, fool me once, shame on you, fool me twice, shame on me. It's true.
TLF
Re:One e-mail address to rule them all.. One e-mai (Score:2)
Like you, I've got an array of email addresses (scores of them, actually), with one final true "use this if you must reach me" email address known only to a very few close, personal, and technologically savvy friends. Gradually I blacklist the ones that get too much spam, but sadly the primary general-acquaintances email address is in full spammer rotation now, and I may have to drop it soon. That will be painfu
Re:One e-mail address to rule them all.. One e-mai (Score:2, Funny)
Re: (Score:1)
What are you apologising for? We all know that George Bush can't read
Re:One e-mail address to rule them all.. One e-mai (Score:2)
That's about how many I actively use, what with my various domain names, servers, and all.
Sounds like you're putting out a lot of effort out for ..
Re:One e-mail address to rule them all.. One e-mai (Score:4, Interesting)
What would you think if professionals in these various areas figured you were a moron because you did a stupid in their field of expertise?
These are not cases of being a moron because you don't know how to do something, it's because you ignore that you are not smart enough to do them. A lot of people get their cars fixed for them, hire lawyers, have people do their taxes, etc... How many people forward their emails to people to make sure they are legit? None. People who don't know how to drive but drive anyway and crash the car have only themselves to blame, this case is the same.
Emails are too easy to get; if it were harder, cases of this would drop by a LOT, because people who didn't know how to use emails wouldn't be using them. Not like that's going to happen, or if it would even be a good thing, but it does say people should avoid messing with things they can't comprehend.
Re:One e-mail address to rule them all.. One e-mai (Score:1)
Re: (Score:2)
TLF
Learner's license. (Score:2)
Re: (Score:2, Insightful)
To be fair, one of the reasons that OE/IE/Windoze are so insecure is that they're so popular - and thus, hackers/etc work overtime to find every little security hole. If everyone switched over to say, Thunderbird/Firefox/Linux, then the hackers/etc would do the exact same thing as what they're doing to IE/OE/Windoze.
Re: (Score:1)
ISPs are not going to pressure their users, Joe User could simply switch to another company, or feel abused and bring the case to justice, or something like that.
Universities, gov't institutions in general... There is politics everywhere you walk in those places. No tie-wearing person wants to burn him/herself forcing people to use non-Windows OSes, to prohibit usage of Outlook Express, to prohibit installation of junkware into their Windows boxes, even making the
Educating people would not help! (Score:1)
You may think that spammers send you their spam because they are trying to sell you something, and that you outsmart them by filtering their spam out, or by recognizing it and refusing on principle to buy from them (if perhaps they are selling something you wanted).
Spammers are not sending their spam to you. They are sending to someone else who will never learn and will buy whatever they are selling. The fact that you are getting spam is a side-effect. If
Jail one spammer a month (Score:5, Insightful)
What we need is more effective law enforcement. There aren't that many spammers any more. Look how few different spams show up. The top three or four spams represent most of the volume. We need a law enforcement effort aimed at finding the top ten spammers and putting them in jail.
Re: (Score:1)
The reason for spam is that someone is making money from the spam.
Go after the companies that are benefiting from spam - and take ALL the money they make and then some. AND go after the stupid consumer who is actually answering spam and buying stuff.
Of course, to do anything we need to define what Spam is, and what it is not. Give marketers a way to direct market without the email in question being spam (I'm a fan of OPT-IN only lists, you can send to me only if I ask you to) -
Re: (Score:2)
How many people bought FOO.OB in the weeks before the spam? Those things can be traced. It might require applying pressure to a number of intermediaries to follow the money, but that's not impossible; it's just hard work.
One of the problems with law enforcement is that they generally don't have big travel budgets. It's unusual for cop types to just get on a plane and go someplace - they need too much authorization. What's needed is an anti-spam consortium funded by big mail recipients like AOL and Go
Printable version (Score:2, Informative)
http://www.washingtonpost.com/wp-dyn/content/arti
Designer Diseases (Score:2)
Protecting computers from vulnerabilities that need not be there in the first place is a multi-billion dollar business encompassing thousands of product and service vendors world-wide that ultimately trickle capital back up the vulnerability supply chain.
This bizarre altruistic myth of Microsoft working around the clock to solve these problems, to deliver the customer a trouble-free computing experienc
Neuter the zombies (Score:3, Interesting)
DONE! (Score:3, Informative)
ISPs don't want to pay for this (Score:2)
How limit outbound SMTP... (Score:2)
This wouldn't do anything to reduce DDOS's though.
Re: (Score:2)
Solve it at a higher level. (Score:2)
If I were doing it, I'd setup multiple networks. Different clients have different characteristics so why shouldn't they be on different networks that support those characteristics? And each with its own outbound email servers.
a. The cheapest monthly rate would go to customers who would accept a block on all outbound port 25 traffic. They only route to your email server and that is monitored. Anyone suddenly sendin
Re: (Score:2)
This way:
From me:
Re: (Score:2)
Re: (Score:2)
We already know where the zombies are. Hard working volunteers collect and publish (among other things) zombies, an ever growing list of the nodes used to carry out spam runs, DoS attacks, and other mischief.
cbl [abuseat.org], sorbs [sorbs.net], uceprotect [uceprotect.net], wpbl [wpbl.info], and others all publish this info in near realtime
That's where the info is. A responsible ISP has to search the lists [pc-tools.net] for their hosts and then go from there.
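An added example (not part of the comment above) of the self-check that post describes: an ISP walking its own address block through several DNSBLs. DNSBL lookups are DNS queries for the reversed IPv4 octets under the list's zone, with any 127.x.x.x answer meaning "listed"; the zone names below are assumptions from the lists' own documentation, and the resolver is a constructed stub so the code runs offline (a real stdlib resolver is included but not exercised).

```python
import ipaddress
import socket

# Query zones assumed for the lists the post links; these are assumptions,
# not taken from the post (each list documents its own zone and return codes).
DNSBL_ZONES = {
    "cbl": "cbl.abuseat.org",
    "sorbs": "dnsbl.sorbs.net",
    "uceprotect": "dnsbl-1.uceprotect.net",
    "wpbl": "db.wpbl.info",
}

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBLs answer 127.x.x.x when listed


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 203.0.113.50 -> 50.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed_answer(answer):
    """True when an A-record answer falls in 127.0.0.0/8 (the 'listed' convention)."""
    try:
        return ipaddress.IPv4Address(answer) in LISTED_RANGE
    except ValueError:
        return False


def check_hosts(hosts, zones, resolve):
    """Look every host up in every zone.

    `resolve(name)` returns the list of A-record strings for `name`, or an empty
    list when the name does not exist (NXDOMAIN means 'not listed').
    Returns {host: {list_name: [answers]}} containing only listed hosts.
    """
    listed = {}
    for host in hosts:
        for list_name, zone in zones.items():
            hits = [a for a in resolve(dnsbl_query_name(host, zone)) if is_listed_answer(a)]
            if hits:
                listed.setdefault(host, {})[list_name] = hits
    return listed


def socket_resolve(name):
    """Real resolver using the standard library (not used by the offline demo below)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed stand-in for DNS so the example runs offline: two of the ISP's
# hosts are pretended to be listed, every other name answers NXDOMAIN (empty list).
STUB_ANSWERS = {
    "50.113.0.203.cbl.abuseat.org": ["127.0.0.2"],
    "50.113.0.203.dnsbl.sorbs.net": ["127.0.0.6"],
    "9.113.0.203.db.wpbl.info": ["127.0.0.2"],
}


def stub_resolve(name):
    return STUB_ANSWERS.get(name, [])


def sample_hosts():
    """Constructed customer address block (documentation range 203.0.113.0/26)."""
    return [str(h) for h in ipaddress.ip_network("203.0.113.0/26").hosts()]


if __name__ == "__main__":
    for host, lists in check_hosts(sample_hosts(), DNSBL_ZONES, stub_resolve).items():
        print(host, "listed on:", ", ".join(f"{n} ({','.join(a)})" for n, a in lists.items()))
```

Swap `stub_resolve` for `socket_resolve` to query the real lists; most DNSBLs rate-limit or refuse bulk queries from public resolvers, so check each list's usage terms first.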
Spamkillers and Law Enforcement Are Not Effective (Score:2, Insightful)
The attached image is my own personage representing me as a reasonable and trusted person. My truthful intentions are above reproach and presented to you in a reasonable and trusted manner.
I get one of these about every other two or three months. I just build another filter and notify my ISP.
This is all Microsoft's fault! (Score:1, Insightful)
I hate that argument, because it's completely incorrect. The vast majority of people who use computers have little idea how they work, or the difference between viruses and spyware and adware. If it's easy for them to do what they need to do, they'll be happy. Linux may be extremely secure, but the reason it is hardly used as a desktop OS is because the vast majority of people don't know how to easily do what the
Re:This is all Microsoft's fault! (Score:5, Insightful)
Microsoft has done quite a decent job of making this balance in Windows.
What a joke. The following are purely design flaws which you cannot excuse by saying that they are being exploited only because Windows/Office are popular.
1. By default, all userland applications are granted Administrator's privileges. I cannot think of a suitable comment for this stupidity.
2. By default, IE is capable of running applets with the said privileges. This would be dumb even if they were user privileges. Executable code which affects the system should be downloaded and then run locally. Just two more clicks, but now even a very dim user knows that a program is being run, whereas before he assumed that he's just browsing the Web.
3. The de-facto document exchange format, .doc, is imbued with executable code which, wait for it... runs with administrative privileges. Let's not whine about how .doc is not an exchange format, because it is. That's what people corroborate on and email each other for revisions. It has its flaws but it does a good job. Sticking VBA in it is like handing little Johnnie a vial of nitroglycerin and saying: now be a good kid; if you jump too much, you won't have a good time.
4. Getting a program involves running an executable file. This is a very grave flaw in the design. Much malware would be curbed if MS switched to a good packaging scheme and eliminated the need of ever dealing with .exe (for a not-so-clever user, that is). Ubuntu can do it, why cannot Microsoft?
On my laptop, the only program I ever had to install by hand was ies4lin. Everything else (and I am quite a whore when it comes to software) was available through the Multiverse. Once a user is shown the kosher way of installing new programs, i.e. from inside the package manager which talks to the trusted repositories, he will naturally regard standalone files as suspect, and most likely will not even encounter them.
These are just off the top of my head. All four are atrocious decisions, given that catering to the lowest common denominator is in Microsoft's mission statement. All four became problems because MS chose to completely ignore the fact that every Windows computer is connected to the Internet. Why bother? The monopoly status works just fine.
I wish I could use Linux... (Score:1)
Wow!, now how did you know you need to run "dfs3dse". Oops, sorry, it was "ies4lin". How did you know this?
I really wish I could use Linux. Well, I managed to use it a little bit, but not in a very useful way. After Mandrake 9 failed to install completely leaving me with the task of providing a graphics driver for my very common ATI card from 1998 that it could not provide, and leaving me with a text only interface but with no instructions
Re: (Score:2)
You might want to get an old desktop box. Old but not too old: 3 years would do nicely. Avoid flashy components. Avoid wireless for now (some research might be required to make it work), get Intel accelerated on-board graphics. You can get that virtually for free these days. Put it in the corner of your flat (or, as we say on Slashdot, your parents' basement) and install the easy-going Ubuntu.
I am not saying that GNU/Linux won't work with wireless, by the way. Almost any card is supported through the ndis
Re: (Score:1)
Re: (Score:2)
Well, dude, it will sound too obvious, but you cannot "give GNU/Linux a try" unless you get it running. It sounds like you are running a bad streak, but do not let that discourage you. Because of little to no hardware testing by the industry, installing Linux can range from a walk in a park to pulling live teeth. You just have to give it another try with different hardware. Just a few days ago I ran into an old IBM box which caused the latest Ubuntu (live) CD to crash with the kernel panic before I could go
Not exactly. (Score:5, Insightful)
Yes, I can agree with that.
And it is not going to change. Which is why it is necessary for the OS vendors to ship their product so that the default configuration is as locked down as possible. In my opinion, Ubuntu achieves this in an admirable fashion.
Actually, that would be because of Microsoft's monopoly on the desktop. Breaking free of the monopoly takes a LOT of effort.
Nope. Look at a Mac. Talk to Mac users. They don't need to become experts on their systems to use them more securely than Windows. This is because Apple has implemented a more effective security model than Microsoft.
But it is Microsoft that is using the monopoly to restrict access to more secure systems. Don't blame the users if the monopoly is actively trying to limit the options.
Why do you have to turn off the firewall so you can run your IM program? Would you accept a car that you had to disable the air bag in order to play a CD? Ubuntu is effectively immune to worms because it, by default, does not have any open ports.
Microsoft is skipping the FIRST rule of security: do not run anything that is not absolutely necessary.
The reason that so many Windows machines are infected is NOT because they're running some IM client without a firewall. It's because the default configuration was insecure. Too many services that were not needed were running and vulnerable.
If 100% of the Windows boxes start vulnerable - you need a LOT of extra work to secure them.
If 100% of the boxes start without open ports - you'll need a LOT of extra work just to make them vulnerable.
In the end, it all comes down to how much effort is needed. Start secure and you'll always win that scenario.
Old people! (Score:5, Informative)
An anonymous reader writes to point out the Washington News's analysis of this year's spike in telemarketers gulling lonely old people, such as lonely old men and lonely old women, out of their life's savings.
As long as there is prey, there will be predators. Stamping out the predators is a game of whack-a-mole, so the best solution is to try to educate the prey. And if you can't, well, what are you going to do? Legislate against it? Pfft!
--Rob
Re: (Score:2)
Re: (Score:2)
so the best solution is to try to educate the prey
They breed faster than you can educate them. Until "do not buy from spammers" becomes something every 4-year old is told together with "don't take candy from strangers", education is and will remain a total failure.
I've been doing security for 10 years now. User education is a disaster, a failure and a total waste of time. I have yet to see a single security problem being solved by user education. In the corporate environment especially giving an order and threaten everyone with being fired if they don't o
What's Vista Got to Do With Anything? (Score:2)
Honestly, if you're eagerly waiting for Vista to accomplish anything for you other than make you $200 poorer, you're fooling yourself.
Schwab
Random Thoughts (Score:4, Insightful)
So, under the auspices of Economic Security, some random ideas to rebuild confidence in the email network:
The domain name is the primary reference point for a reputation base. If a domain can be spoofed, reputation fraud ("Identity theft") becomes more likely. So, harden DNS with some ubiquitous public key crypto. If you want a domain, you must provide a public key; the key authenticates you to modify the entry. If you lose the key, tough cookies; you'll have to wait for the registration to expire before you can regain control of it.
All clients presenting mail for delivery must present credentials. No credentials, no delivery. In an ideal universe, the client's credentials (public key?) would be presented as part of the SSL connection, so the SMTP server wouldn't have to do anything special.
If you're not on the local subnet, and your IP is not registered as a Mail Exchange, then no relaying for you without prior arrangement. Assuming a hardened DNS, we can reasonably rely on the authenticity of the MX record.
Blanket blocking of connections on port 25 is excessive -- some people have a legitimate need to drop mail on smarthosts outside the local subnet. However, if the routers observe an internal IP address spraying port 25 connections to, say, a dozen different IPs over the course of a minute, then that's probably something the network admins would want to look at more closely. This would do nothing to thwart a parallel "shadow" network of compromised hosts acting as spam relays for the subnets on which they're located. But for a while you'd get a pretty good map of machines to clean up.
Schwab
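An added example, not part of Schwab's post, of the router-side heuristic he sketches: flag an internal address that opens port 25 connections to about a dozen distinct IPs within a minute, while a host that relays everything through one smarthost is left alone. The log line format and all traffic are constructed for the demo; the threshold and window are parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Log line format assumed here (constructed, not from the post):
#   "<ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_port25_sprayers(lines, max_distinct_dsts=12, window_seconds=60, port=25):
    """Flag sources that reach at least `max_distinct_dsts` distinct destination
    IPs on `port` inside any `window_seconds` sliding window.

    Returns {src_ip: (window_start, distinct_destinations)} for the first window
    in which each source crossed the threshold. Repeated connections to one
    smarthost never count as more than one destination, so a legitimate
    relay setup is not flagged.
    """
    records = [r for r in map(parse_line, lines) if r is not None and r[3] == port]
    records.sort(key=lambda r: r[0])          # the sliding window needs time order
    recent = defaultdict(deque)                # src -> deque of (ts, dst) inside the window
    flagged = {}
    for ts, src, dst, _ in records:
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= max_distinct_dsts and src not in flagged:
            flagged[src] = (q[0][0], len(distinct))
    return flagged


def build_sample_log():
    """Constructed sample traffic, not real data."""
    lines = []
    # 10.1.2.50: a dozen distinct MTAs within 24 seconds -> looks like a spam bot
    for i in range(12):
        lines.append(f"2006-12-20T10:00:{2 * i:02d} 10.1.2.50 -> 203.0.113.{10 + i}:25")
    # 10.1.2.7: 20 connections, all to the same smarthost -> legitimate relaying
    for i in range(20):
        lines.append(f"2006-12-20T10:00:{i:02d} 10.1.2.7 -> 198.51.100.5:25")
    # 10.1.2.9: a dozen distinct MTAs, but spread one per minute -> under the rate
    for i in range(12):
        lines.append(f"2006-12-20T10:{i:02d}:00 10.1.2.9 -> 203.0.113.{40 + i}:25")
    # web traffic from the same host is not port 25 and is ignored
    for i in range(15):
        lines.append(f"2006-12-20T10:00:{i:02d} 10.1.2.9 -> 192.0.2.{i}:80")
    return lines


if __name__ == "__main__":
    for src, (start, n) in find_port25_sprayers(build_sample_log()).items():
        print(f"{src}: {n} distinct port-25 destinations in the minute from {start}")
```

As the post notes, this only maps infected hosts inside your own network; a compromised host relaying through a smarthost elsewhere looks exactly like 10.1.2.7 here.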
Re: (Score:2)
Your post advocates a
(*) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be ab
Future of e-mail? (Score:2)
If reports are to be believed we're closing in on a point when nearly 100 percent of messages will be spam. The spam blockers that were effective a year ago are becoming increasingly leaky.
Whitelists may work for some people, but not for anyone running a business. Proposals that require tens of thousands of ISPs to significantly change how they handle mail probably aren't going to fly unless legislated. And legislation will only work within t
What kind of expert ... (Score:3, Insightful)
... thinks Vista will change anything? The exploits are already being marketed and published. It reminds me of the "use XP SP2" chorus, when the only thing that did was break existing applications and push more obnoxious EULAs and DRM. We will soon see the Vista added to the list of threats which currently list XP, 2000, XP, 98 etc back to the earliest version the watchers care to add. The reason those threats typically break every previous version of Windoze is because M$ rarely rewrites anything and the same old binaries are passed on from version to version. Vista was made the same way the other versions were and the same old process is going to yield the same old results. Vista is the same old same old.
Exiting machines? (Score:1)
So, let me get this straight, even if customers rush to upgrade exiting machines.... wait, brainfry.
Let me try that again.... Exiting machines...
Nope, there goes my brain.
Vista to fix everything? (Score:3, Insightful)
And if they can fix security problems with One Care, why couldn't they fix them in the OS in the first place?
So first, we pay MS for the OS... then we have to pay them again to make it secure? Sounds like a scene from The Godfather.
Anti-botnet botnet? (Score:3, Interesting)
Of course, with as much money as there is in hacking type stuff, I'd be afraid of the enemies I'd be making.
Vista? Yeah, right... (Score:2)
Experts worry that businesses will be slow to switch to the [Windows Vista]
Oh yeah, the "most secure windos ever". That's like saying you've just created the least leaky sieve ever. Come on, the consumer version isn't even out yet and there are already exploits. Within a year, Vista will be full of holes just like XP is today. Doesn't anyone remember that they made the identical claims regarding security when XP replaced 98/ME ?
Shut down bots. Only option to get rid of the networks. Make people care. Pass a law that forces ISPs to shut down known bot-infected customers until they
Vista Upgrade Cost Prohibitive (Score:1, Insightful)
I Can't Believe It (Score:1)
spamming techniques (Score:1)
wg
Easy to stop spam.... (Score:1)